This vulnerability arises from improper neutralization of user-supplied input during web page generation in the Form Generator for WordPress plugin. The flaw permits an attacker to embed JavaScript that is stored in the form data and subsequently executed whenever the form is displayed to a visitor. Such stored cross‑site scripting can lead to session hijacking, credential theft, or defacement of the site. The weakness corresponds to CWE‑79, reflecting inadequate input validation and output encoding.

Site administrators using the Form Generator for WordPress plugin by tmontg1 should be aware that all versions from the first release through version 1.52 are affected. The problem exists in any deployment where the plugin is installed and not patched to a newer release beyond the stated limit.

The CVSS score of 5.9 indicates a moderate impact. The EPSS score of less than 1% suggests a low probability of exploitation in the current landscape, and the vulnerability is not listed in CISA’s KEV catalog. However, combined with the fact that the flaw allows persistent script injection, the potential damage is significant if an attacker were to target a site. The likely attack vector is through the plugin’s form input fields, where malicious payloads can be stored and later served to other users. Because the vulnerability is stored, any user who views the affected form will be exposed to the injected code.